Use SSL connections to connect to an external Web service

When using SSL connections to an external Web service, the Service Manager server acts as a client and must be set up accordingly. The Web service provider must send the root certificate, or the certificate of the certificate authority (CA) that signed the Web service's certificate, to the Service Manager administrator. If the certificate was issued through a certificate hierarchy, every CA certificate in the chain (root and intermediates) must be sent. Add these certificates to the Service Manager cacerts truststore using keytool.

For an SSL connection in which only the external Web Service authenticates itself (Service Manager presents no client certificate), WSDL2JS needs a truststore that contains the certificate of the CA that signed the remote Web server's certificate. The cacerts file that ships with Service Manager may not contain the needed CA certificates; import them as described above.

After the CA certificate has been added to the truststore, the following parameters must be added to sm.ini on the Service Manager server if they are not already present. They identify the truststore that holds the CA certificate of the external Web Service and the keystore that holds the Service Manager server's own certificate and private key.

Parameter        Description
-truststoreFile  The truststore file used to validate the certificates presented by the other side of a connection; here, the external Web Service's server certificate must chain to a CA certificate in this file. Defaults to the cacerts file in the RUN\jre\security directory.
-truststorePass  The pass phrase for the truststore file that contains the external Web Service's CA certificate.
-keystoreFile    The keystore file containing the Service Manager server's own certificate and private key (the server keystore).
-keystorePass    The pass phrase for the server keystore.

To enable the SSL encryption, follow these steps:

  1. Stop the Service Manager server.
  2. Open the sm.ini file with a text editor.
  3. Add the following parameters and their values, one per line in parameter:value form:

    1. keystoreFile
    2. keystorePass
    3. truststoreFile:cacerts
    4. truststorePass
  4. Save sm.ini.
  5. Restart the Service Manager server.
  6. Log in to Service Manager with SysAdmin privileges.
  7. Click Tailoring > Web Services > Run WSDL to JS.
  8. Change the endpoint URL of the external Web Service to use the HTTPS protocol and the Web Service's SSL port. For example: https://remote_server.remote_domain.com:13445/remote_service.wsdl
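The following POSIX shell functions are an added example, not part of the Service Manager documentation or product: they carry out the certificate import described at the top of this page and write the four sm.ini parameters from step 3. The keytool command line, the alias prefix, the default cacerts password changeit and every path are assumptions for illustration, and the sample bundle holds placeholder text rather than real certificates. The split step is the point of the example: keytool -importcert imports only the first certificate it finds in a PEM file, so a bundle that carries the root and intermediate CA certificates of a hierarchy has to be split into one file per certificate, each imported under its own alias.

```shell
#!/bin/sh
# Added example, not part of the Service Manager documentation.
# Imports a CA certificate chain into the Service Manager cacerts truststore
# and appends the sm.ini SSL parameters. Paths, alias prefix and passwords
# are illustrative assumptions.

# keytool -importcert reads only the FIRST certificate in a PEM file, so a
# bundle holding root and intermediate CA certificates must be split first.
# split_pem_bundle BUNDLE OUTDIR -> writes OUTDIR/cert1.pem, cert2.pem, ...
#                                   and prints how many certificates it found
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain BUNDLE CACERTS STOREPASS ALIASPREFIX
# Imports every certificate of the bundle under its own alias (aliases must
# be unique within a keystore), then lists the new entries back as a check.
# Requires the keytool from the JRE shipped with Service Manager.
import_chain() {
    bundle=$1; store=$2; pass=$3; prefix=$4
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -keystore "$store" -storepass "$pass" \
                -alias "$prefix-$i" -file "$tmp/cert$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    # verification: each alias just added should show up as a trustedCertEntry
    keytool -list -keystore "$store" -storepass "$pass" | grep -i "^$prefix-"
}

# write_sm_ini_ssl INI KEYSTORE KEYSTOREPASS TRUSTSTORE TRUSTSTOREPASS
# Appends the four parameters in sm.ini's parameter:value form.
write_sm_ini_ssl() {
    {
        echo "keystoreFile:$2"
        echo "keystorePass:$3"
        echo "truststoreFile:$4"
        echo "truststorePass:$5"
    } >> "$1"
}

# make_sample_bundle FILE -> a constructed two-certificate PEM bundle whose
# bodies are placeholders, so split_pem_bundle can be exercised offline
make_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'ROOT-CA-PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-CA-PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$1"
}

# Typical use on the Service Manager server (assumed paths; "changeit" is the
# default password of a JRE cacerts file):
#   import_chain provider-chain.pem RUN/jre/security/cacerts changeit remote-ws-ca
#   write_sm_ini_ssl sm.ini RUN/sm.keystore <keystorePass> RUN/jre/security/cacerts changeit
```

Run the two commands in the closing comment with the server stopped, then restart it as in steps 4 and 5; the grep at the end of import_chain is the check that every certificate of the chain, not just the first, landed in the truststore.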

If the connection to https://<fully qualified server path>:<portnumber>/<Service>.wsdl still fails after these changes, the host name in the certificate may not be identical to the fully qualified server path in the URL. The name that is checked is the common name (CN) of the distinguished name (DN) the certificate was created with, or a subject alternative name (SAN) if the certificate carries one. Ask the provider of the certificate which name it was issued for. If it differs from the fully qualified name used in the URL, request a new certificate whose name matches the URL. If this cannot be done in a timely manner, the following workaround can be tested:

Go to the server’s hosts file (/etc/hosts on UNIX® systems; %SystemRoot%\System32\drivers\etc\hosts on Windows systems, usually C:\Windows\System32\drivers\etc\hosts). Add a line with the IP address of the machine that runs the Web Service followed by the fully qualified name in the certificate, and use that name as the host in the endpoint URL. Hosts-file entries list the IP address first. For example:

10.2.5.77 mymachine.microfocus.com

where 10.2.5.77 is the IP address of the server that hosts the Web Service and "mymachine.microfocus.com" is the name in the certificate's distinguished name (DN). The entry only changes name resolution on the Service Manager server; the Web Service must still answer at that IP address and port.

Note This is a temporary workaround, not a permanent fix. Once the new certificate is issued, make sure the CA certificate that signed it is in the cacerts truststore, change the endpoint URL back to the server's real name, and remove the entry from the hosts file.
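As an added example that is not part of the original page, the POSIX shell functions below make the name check above concrete. Given the endpoint URL, the certificate's common name and any subject alternative names the provider reports, they decide whether a Java HTTPS client would accept the certificate for that URL (SAN DNS names take precedence and the CN is consulted only when there is no SAN; a wildcard covers exactly one leftmost label), and they produce the temporary hosts-file entry with the IP address first. The host names and the IP address are the page's own examples or constructed values; the matching rules are a description of standard HTTPS hostname verification, not of a Service Manager API.

```shell
#!/bin/sh
# Added example, not part of the Service Manager documentation.
# Decides whether a certificate's names cover the host in an HTTPS endpoint
# URL the way a Java HTTPS client checks them, and formats the temporary
# hosts-file entry used as a workaround. Names and the IP address below are
# the page's examples or constructed values.
set -f   # the script handles name patterns such as *.example.com, never files

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# url_host URL -> the host part, lower-cased (scheme, port and path removed)
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    lower "$h"
}

# name_matches NAME HOST -> 0 when NAME (exact, or *.suffix) covers HOST.
# A wildcard is accepted only as the leftmost label and covers exactly one
# label: *.example.com matches api.example.com, not deep.api.example.com.
name_matches() {
    p=$(lower "$1"); h=$(lower "$2")
    case $p in
        '*.'*)
            suffix=${p#\*.}
            case $suffix in *.*) ;; *) return 1 ;; esac   # refuse *.com
            case $h in *.*) ;; *) return 1 ;; esac        # host needs 2+ labels
            if [ "${h#*.}" = "$suffix" ]; then return 0; else return 1; fi
            ;;
        *)
            if [ "$p" = "$h" ]; then return 0; else return 1; fi
            ;;
    esac
}

# cert_covers_url URL CN "SAN1 SAN2 ..." -> 0 when the certificate would be
# accepted for URL's host. If the certificate carries SAN DNS names, only
# those are consulted and the CN is ignored; the CN is used only without SAN.
cert_covers_url() {
    host=$(url_host "$1"); cn=$2; sans=$3
    if [ -n "$sans" ]; then
        for san in $sans; do
            if name_matches "$san" "$host"; then return 0; fi
        done
        return 1
    fi
    name_matches "$cn" "$host"
}

# hosts_line IP CERTNAME -> the hosts-file entry; the IP address comes first
hosts_line() { printf '%s %s\n' "$1" "$2"; }

# workaround_line URL CN IP -> empty when a CN-only certificate already covers
# the URL host, otherwise the hosts-file line for the temporary workaround
workaround_line() {
    if cert_covers_url "$1" "$2" ""; then
        printf ''
    else
        hosts_line "$3" "$2"
    fi
}

# The page's endpoint against a certificate issued to a different name:
#   workaround_line https://remote_server.remote_domain.com:13445/remote_service.wsdl \
#                   mymachine.microfocus.com 10.2.5.77
```

When workaround_line prints an entry, the endpoint URL has to be changed to the certificate's name as well; resolving that name to the Web Service's address is all the hosts-file line does.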

Caution When you use SSL connections to high-frequency Web Services, where many requests per second are made, performance suffers if a full SSL handshake occurs for every SOAP request. The handshake takes several TCP round trips while the two parties identify each other, negotiate the encryption algorithm and perform the other required tasks. To avoid this, make sure keep-alive (persistent) connections are used: the handshake is then performed once and the SSL session is reused for as long as the connection stays open.